How to carry out an HR data audit ahead of GDPR

The introduction of the General Data Protection Regulation (GDPR) on 25th May 2018 creates landmark changes to the way employers will have to handle and secure the personal data of their employees. Carrying out an HR data audit before this date is advised and will help employers understand the current data procedures that apply to their business and assess whether amendments are needed to these procedures.

HR data audits will look different depending on the type of business carried out, the extent of data processing and the internal data processes already in place. Basically, the audit should be used as a process to identify gaps where current data protection systems do not meet the new GDPR obligations by looking at the life cycle of HR data within the organisation.

Before the audit takes place, a process plan should be agreed on which will identify how the audit will take place and who will carry out the audit. Usually, HR representatives will be best placed to undertake the audit with additional support from other departments, such as IT or legal. Alternatively, a newly appointed data protection officer or external firm can provide an expert take on the audit. The individuals or departments who need to be spoken to as part of the audit can also be outlined in advance, such as payroll, recruitment and IT.

The audit will gather information on the type of HR data collected and what happens to this data once collected. It’s important to remember that HR data processes apply to individuals other than current employees, for example, data is collected in relation to unsuccessful job applicants, data can be received from alternative sources such as references from previous employers and data relating to ex-employees may also be retained for a period of time.

To carry out the data audit, it will be useful to design a standard questionnaire or template form which asks each department necessary questions, including: what kind of data is collected; where data is held; how the data is used; the period data is kept for; who has access to the data internally and externally; and the procedures, systems and controls in place to secure the data. The lawful basis for processing the data will also need to be catalogued to ensure there is a valid, lawful basis for this, especially as GDPR has introduced changes to previous lawful bases such as ‘consent’. Depending on the type of business, additional questions may need to be asked to fully understand how data is collected, used and stored.

Once the audit is complete, a record or report of HR data can be created. This report will be useful to show the HR data lifecycle throughout the business. It will also identify areas where current data processing systems or policies do not comply with the obligations under GDPR. Where non-compliance is identified, the business will need to outline the steps they will take to rectify this to ensure they are not breaching GDPR once this is in force. Pre-emptive action now could prevent a costly fine.